Citrix Gateway Connector
Citrix Gateway Connector is a Citrix component which serves as a channel of communication between Cloud services (Secure Private Access service, ADM, and so on) and on-premises components such as Web servers. It is a small-form-factor virtual appliance compatible with Citrix Hypervisor, VMware ESXi, and Microsoft Hyper-V. Citrix Gateway Connector facilitates remote access to Enterprise web apps.
Important:
Citrix Gateway Connector is planned to be deprecated in the upcoming release. Citrix recommends that you migrate to Connector Appliance, which is a single Zero Trust Network Access connector. For details on Connector Appliance, see Connector Appliance for Cloud Services.
To migrate your Gateway Connector to Connector Appliance, see Migrate Gateway Connector to Connector Appliance.
For TCP apps, Connector Appliance must be used.
How it works
Citrix Gateway Connector authenticates and encrypts all communication between Citrix Cloud and your resource locations. The communication between the Citrix Gateway Connector and Citrix Cloud is outbound. All connections are established from the Citrix Gateway Connector to the cloud using the standard HTTPS port (443) and the TCP protocol. No incoming connections are accepted. Outbound TCP port 443 must be permitted to the following FQDNs:
- *.nssvc.net
- *.netscalermgmt.net
- *.citrixworkspacesapi.net
- *.citrixnetworkapi.net
- *.citrix.com
- *.servicebus.windows.net
- *.adm.cloud.com
Note:
If there are SSL intercepting devices in the on-premises data center where the Citrix Gateway Connector must be deployed, the connector registration does not succeed if SSL interception is enabled for these FQDNs. The SSL interception must be disabled for these FQDNs for successful connector registration.
Capabilities of Citrix Gateway Connector
The following are some of the capabilities of Citrix Gateway Connector.
- Acts as a reverse proxy: Citrix Gateway Connector acts as a reverse proxy to Enterprise Web apps. The required web application ports must be opened from the Gateway Connector to the apps.
- Enables single sign-on: The Citrix Gateway Connector provides the following single sign-on capabilities with the Secure Private Access service.
  - Basic SSO
  - Kerberos
  - Form-based
  - SAML
  - No SSO
For details, see Support for Enterprise web apps and Support for Software as a Service apps.
System requirements
Citrix Gateway Connector is a virtual appliance. The minimum system requirements for the Citrix Gateway Connector are as follows:
- Number of vCPUs must be exactly 2.
- 4 GB RAM minimum.
  Important:
  The new minimum system requirement for RAM has changed. If you have an existing Citrix Gateway Connector, upgrade the system memory of your virtual machines to match the new requirement of 4 GB RAM.
  For details, see Upgrade the system memory of Citrix Gateway Connector virtual machines.
- 1 Network Adapter (virtual NIC). You can add an extra virtual NIC upon requirement.
Firewall:
- UDP port 53 to DNS server
- TCP and UDP port 389 to Active Directory Domain Controllers (optional*; * is described at the end of this list)
- TCP port 636 to Active Directory Domain Controllers (optional*)
- TCP port 3268 to Active Directory Domain Controllers (optional*)
- TCP port 3269 to Active Directory Domain Controllers (optional*)
- TCP port 443, with the following FQDNs permitted outbound:
  - *.nssvc.net
  - *.netscalermgmt.net
  - *.citrixworkspacesapi.net
  - *.citrixnetworkapi.net
  - *.citrix.com
  - *.servicebus.windows.net
  - *.adm.cloud.com
- TCP ports (**) to Web servers accessed using Citrix Gateway Connector
- Open port 8443 inbound for web-based management

* Required to perform domain-based single sign-on to Web applications
** Ports determined by the customer's environment; ports 80 and 443 are typical
Recommended: Network with DHCP enabled to simplify the initial configuration.
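The firewall list above can be turned into a least-privilege check on the connector's egress traffic. The following is an added example, not Citrix code: it flags documented flows that a firewall denied and allowed flows that are not on the list. The log layout, the site inventory, and the sample hostnames are constructed, and the wildcard is assumed to cover any subdomain depth.

```python
import re

# Outbound TCP 443 FQDN patterns copied from the list above.
CLOUD_FQDNS = ("*.nssvc.net", "*.netscalermgmt.net", "*.citrixworkspacesapi.net",
               "*.citrixnetworkapi.net", "*.citrix.com", "*.servicebus.windows.net",
               "*.adm.cloud.com")
# Optional Active Directory ports from the firewall list (domain-based SSO).
DC_PORTS = {("tcp", 389), ("udp", 389), ("tcp", 636), ("tcp", 3268), ("tcp", 3269)}
# Constructed site inventory (assumption): substitute your own servers and app ports.
SITE = {"dns": {"10.0.0.53"}, "dc": {"10.0.0.10"}, "web": {"intranet.corp.example": {80, 443}}}
# Hypothetical firewall log layout; adapt the pattern to your device's format.
LINE = re.compile(r"dst=(\S+) proto=(\w+) dport=(\d+) action=(\w+)")

def matches_cloud_fqdn(host):
    """Suffix match on a label boundary; assumes '*' covers any subdomain depth."""
    host = host.lower().rstrip(".")
    return any(host.endswith(p[1:]) and len(host) > len(p) - 1 for p in CLOUD_FQDNS)

def documented(dst, proto, port, site=SITE):
    """Name the documented requirement a flow satisfies, or None if it is not listed."""
    if dst in site["dns"] and (proto, port) == ("udp", 53):
        return "dns"
    if dst in site["dc"] and (proto, port) in DC_PORTS:
        return "active-directory"
    if (proto, port) == ("tcp", 443) and matches_cloud_fqdn(dst):
        return "citrix-cloud"
    if proto == "tcp" and port in site["web"].get(dst, ()):
        return "web-app"
    return None

def audit(lines, site=SITE):
    """Flag required flows that were denied and allowed flows that are not documented."""
    findings = []
    for m in filter(None, map(LINE.search, lines)):
        dst, proto, port, action = m[1].lower(), m[2].lower(), int(m[3]), m[4].lower()
        rule = documented(dst, proto, port, site)
        if rule and action == "deny":
            findings.append(("blocked-required", dst, port))
        elif rule is None and action == "allow":
            findings.append(("excess-egress", dst, port))
    return findings

# Constructed log lines for flows leaving the connector (10.0.0.5).
SAMPLE = [
    "src=10.0.0.5 dst=example-host.nssvc.net proto=tcp dport=443 action=allow",
    "src=10.0.0.5 dst=example-bus.servicebus.windows.net proto=tcp dport=443 action=deny",
    "src=10.0.0.5 dst=notcitrix.com proto=tcp dport=443 action=allow",
    "src=10.0.0.5 dst=10.0.0.10 proto=tcp dport=445 action=allow",
]
```

The same `matches_cloud_fqdn` check can be run over an SSL-inspection policy's host list to confirm that the connector FQDNs are excluded from interception.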
Ways to install Citrix Gateway Connector
Citrix Gateway Connector can be installed in one of the following ways.
- From the Citrix Cloud user interface
- While adding an Enterprise Web app
In both cases, you must create a new virtual machine as described in the following section.
Create a new virtual machine
- Sign in to Citrix Cloud.
- From the menu in the top left of the screen, select Resource Locations.
  - If you have no existing resource locations, click Download on the Resource Locations page. When prompted, save the cwcconnector.exe file. For details, see Cloud Connector Installation.
  - If you have a resource location but no Cloud Connectors installed in it, click the Cloud Connectors bar and then click Download. When prompted, save the cwcconnector.exe file.
- Click Gateway Connectors.
- Select the hypervisor and click Download Image. Import the locally downloaded image to your hypervisor and create a new virtual machine (Citrix Gateway Connector).
- Click Get Activation Code.
  The activation code is generated as follows.
- Once the installation is complete, click Detect.
Install the Citrix Gateway Connector by using the Citrix Cloud user interface
The following are the steps to set up a resource location and install Citrix Gateway Connector using the Citrix Cloud user interface:
At the top left of the Citrix Cloud screen, click the hamburger icon and select Resource Locations. Click the plus icon next to Resource Locations.
Provide a name for the resource location and click Save.
Double-click the plus icon next to Citrix Gateway Connectors under the newly created resource location.
Complete the steps as described in Create a new virtual machine.
Install Citrix Gateway Connector while adding an Enterprise Web app
While adding an Enterprise Web app using the Secure Private Access service user interface, you can set up a new resource location and download connectors. For details on adding an Enterprise Web app, see Support for Enterprise web apps.
To set up a resource location and download connectors, perform the following steps:
In the Web app connectivity section, select the Create New radio button. Provide a name for the resource location and click Save.
Click Install Citrix Gateway Connector.
Complete the steps as described in Create a new virtual machine.
Access the Citrix Gateway Connector user interface by using the URL
You can access the Citrix Gateway Connector user interface by using the URL that is displayed in one of the messages on the newly installed Citrix Gateway Connector VM. You can also log on to the Citrix Gateway Connector CLI as an administrator and run the show ip command to view the IP address assigned to the Citrix Gateway Connector through DHCP. Then you can open https://<IP address>:8443 in your browser to access the Citrix Gateway Connector admin user interface.
Important:
For Azure, Citrix recommends that customers access the Citrix Gateway Connector user interface from inside the Azure Virtual network.
Log on and set up the Citrix Gateway Connector
After the Citrix Gateway Connector installation is complete, look for the following message on the newly installed VM (Citrix Gateway Connector).
Type the mentioned URL in a browser to access the Citrix Gateway Connector user interface. You can also log on to the Citrix Gateway Connector CLI as an administrator and run the show ip command. The command displays the IP address assigned to the Citrix Gateway Connector through DHCP. Then open https://<IP address>:8443 in your browser to access the Citrix Gateway Connector admin user interface.
For a first-time user, the user name and password for the following screen are both administrator. Change the password by providing a password of your choice in the Set administrator password section and click Continue.
- Enter the following configuration details in the System settings section and click Continue.
- Connector IP Address – IP address of Gateway Connector.
- Subnet Mask – Subnet mask of the Gateway Connector IP address.
- Default Gateway – IP address of the default gateway.
- DNS Server – IP address of the DNS server. Starting from Citrix Gateway Connector release 13.0, there is a change in the DNS server configuration. For details, see the section Changes to the DNS server settings.
- Proxy IP – Your internal proxy server IP address.
- Proxy Port – Port of the proxy server.
Changes to the DNS server settings:
Starting from Citrix Gateway Connector 13.0.400.xxx, the DNS configuration for both UDP and TCP protocol on the connector appliance is updated automatically when it is set in the System Settings section. However, if you upgrade your connector from earlier versions, you have to manually delete the DNS setting and re-add it. To do so, perform the following.
- Navigate to the Citrix Gateway Connector dashboard > Edit Settings.
- Click the delete icon next to the first DNS Server field and click Continue.
- Navigate to the Edit Settings page, re-add the same DNS server, and click Continue.
- Repeat the steps for the second DNS server.
Note:
- You do not have to perform these steps for new instances of the 13.0 Citrix Gateway Connector.
- You need not perform the earlier mentioned steps immediately after the upgrade. There is no loss of functionality if this is not done. These steps must be performed for enterprise customers who require DNS over TCP functionality for Enterprise Web apps to function correctly.
In the Single sign on section, check Enable Kerberos Single Sign On for capabilities beyond the basic authentication.
Active directory domain is the global domain and is set as the realm of the KCD account. If you want to override the global realm of the user, then you can use the following command in the connector. SSH to your gateway connector using the same credentials that you use to log on to the connector configuration page. Type the following command:
set kcdaccount ngs_kcdaccount -userRealm <value>